All right. Well, it's great to be with all of you today. And I saw that a few of you last
night had one of those shots in one of those, at least one of those shots in one of those
rooms. But I really am pleased to be here. I'm glad to see a good crowd. This isn't my
first DEF CON, but this is my first time speaking. And Nico said that the topic, the way
it was listed, didn't have enough pizzazz, so she put "From Nuclear to Cyber: Alternative
Approaches." So I want to make sure I get the nuclear part in so you don't feel like you
wasted your time or wasted your ticket here. So when I was in the military, my primary
business was doing nuclear ops. But interestingly enough, when the Air Force stood up the cyber
mission, they gave that mission to my command, not because they thought it was like nuclear,
but because nuclear was a global mission and they saw the cyber as a global mission.
But what I want to talk to you about is, I'm going to talk to you a little bit about
today, is that we somehow are quite often constrained in the way we think about cyberspace,
except in places like DEF CON. And what I want to try to do is see if ‑‑ I'm actually
looking to get some ideas from you, quite frankly, because the people in this room tend
to think outside the box. But a lot of this is about looking at things a different way,
challenging assumptions and looking at the way that we think about the world. And so
the nuclear part of this is ‑‑
I want to think about what we did with nuclear weapons at the beginning. I wasn't born then.
But those weapons were being used for war fighting. And so when we dropped them in Japan,
they were considered war fighting weapons. Very quickly they said this is not a good
war fighting weapon. And it became what they now call political weapon. It was used a
completely different way. And then during the Cold War, it evolved to where the weapons
became something that actually caused the then Soviet Union and the West to start to
not fight because they were so worried that if they got into a big fight, that a war would
break out. So what's interesting is the weapons took on a completely different context than
they were originally created to do. I think there's some parallels to that in cyberspace,
and that's what I want to try to talk to you about a little bit today.
And so first I want to talk a little bit about some different perspectives on cyberspace,
different ways to look at it, I guess I should say. I want to remind you how we tend to look
at it typically from a network protection standpoint. And then I want to try to argue
for possibly a different model to look at it that would be a proactive view that looks
at both defense and then assurance, the ability to use it. There's another model that DHS
has put out that they call their cyber ecosystem and I just want to show you that if you haven't
seen it before. Actually looking for some feedback from it and then tell you about some
things we've done trying to put that to work.
And then I want to talk a little bit about cyber workforce development. I want
to extend that to cyber leadership. And what I mean by that is actually one of the big
problems we would have in the Air Force is that some of our very best pilots, they loved
flying so much that they never wanted to leave the airplane. And they got very good at it,
but they could never get promoted and get into some jobs where they could really influence
some of the things that were going on. And they'd end up complaining about it, but they
weren't able to move up. And so part of this in terms of leader development is I think
we need to do more of that in the cyber world because for the most part, the people that
are making decisions about what happens related to cyber space didn't grow up from the kind
of beginnings that you're all familiar with. So the first thing, and this is an old slide
that I used back when I was in the Air Force, and part of this had to do with trying to
get people in the Air Force to think differently about how they approach cyberspace, what
I found was that there were three different ways that people in the Air Force thought
about cyberspace. So the first one was the communications groups, and they said, well,
cyberspace, it's all about, it's just a different way that we were able to communicate,
and so cyberspace is what we do because we set up all the networks, we set up the
communication lines, you know, we manage those networks. When they break down, we take care
of it. And that was a view. That view is actually a proper view.
And then you had the intelligence community that said, well, you know, the only way to really defend against
attacks that we're getting in cyber space is we have to have this really good intelligence.
And so, and the only way to therefore be able to defend the networks is you have to
be really good intelligence people. And so they argued that cyber space should be controlled
by the intelligence community because they're the only ones that would really fully understand
how the intelligence and what that meant.
And then, but the Air Force actually took a different view of this, at least initially.
And they said, you know, everybody uses cyberspace, and as it grows, we're using it more
and more. And we use it for all of our different operations. At first, the things that we
did with cyberspace, we used it to extend the things we're already doing. And if
I could use a commercial example, I mean, these days, nobody uses a Yellow Pages
anymore. You go on your ‑‑ you know, go on your computer and you look something up in
You get a lot of information.
You can Yelp it or something else and get a review.
So that's an extension.
That's a legacy capability that you said I can use cyberspace to do that a little better.
But then you have some people that really took cyberspace and did things really differently,
like a Google or an Amazon where they said because of cyberspace, I now can do things
completely differently.
But up until now, for the most part, almost everything we do is through cyberspace.
We do very little actually in cyberspace to where we're operating inside the space and
there's some type of transactions that are occurring inside.
And so people say, well, cyberspace is a really different domain because you can't ‑‑ it's
man‑made and you can't operate ‑‑ you can't live there yourself.
You can go into space, you have to have a space cap, so you can't really go into cyberspace.
So they've had some hard times getting their arms around this, but the point of this is
that ‑‑
What the Air Force did was we're going to put cyberspace under the control of the operators
and what we did, we said, Intel, people keep doing what you were doing.
We want you to find out where the attacks are coming and help us defend.
And comm community, we want you to keep building up these physical networks for us and doing
all the things so we can operate.
So just some different ways to be able to look at this.
But then when we tried to figure out how you could leverage cyberspace, to tell people,
you know, the reason that we have, you know, airlines is not so that you can have a TSA.
You have a TSA to do security so that the airlines can operate safely.
So it's the same thing.
I mean, with cybersecurity, cyberspace does not exist to have cybersecurity.
Cybersecurity is necessary so that you can operate properly in cyberspace.
But cyberspace is important because of all the things you can do with it.
And so one of the things that it does, it gives you this capability.
It gives you the capability to bring together all these different communities.
And as you see listed up here, you know, it can be whether it's a political, it can be
a military, it can be economic.
It allows you to do a lot of social things.
In fact, that's one of the big areas that we see growing up substantially.
And of course it allows us to have, you know, the information flows all over the world.
So it allows us to ‑‑ it's all about networking, right?
You have physical networks.
You have these informational networks.
And then ultimately, you have people networks that are using this.
And that whole thing put together is what makes the cyberspace so tremendous.
But it has these interesting attributes.
And one of the attributes is that for the most part, when people are operating there,
you're anonymous when you're operating there.
Now, you don't have to be.
If you want people to know who you are, you can tell them, but otherwise you don't.
The other thing, if you're actually inside cyberspace, if you will, it's some kind of
an alter ego that's operating there.
Why?
Because you can't go there.
So, I mean, you have a user name or something, and it's what actually transfers through the
cyberspace.
So it's a different way to think about it.
The other thing that's made it difficult for people to fully accept this is there's no
such thing as time and distance, and it's kind of a funny anecdote that I like to tell
people about this.
We were doing an exercise, and it was a global exercise, and we had people in the Pacific,
we had people in Europe, and, of course, people in several different places in the
United States.
We were doing a planning operation.
Of course, everybody was using chat rooms and they had headsets on.
And one of the people that came in to watch this saw these two people right next to each
other, and they obviously were exchanging information with one another.
And the observers said, that's odd.
Why doesn't he just turn to the person next to him and tell him what he wants?
And we were kind of flabbergasted, but they didn't fully appreciate the fact that there
were another 200 people.
They were working on this project, but they were in all these different places.
So this notion of time and distance is really different.
That extends to this being able to have a virtual presence.
It allows you to actually work with someone, and if you can break through the fact that
you don't have the actual human contact, you can almost feel like you're doing that.
There's two other things about it that I show here.
One is that with cyberspace, information has become a commodity, and as a result, we get
a lot of information.
In fact, we almost get more information than we can stand.
So now, before we used to pay to get information, now we pay people to sort our information
for us, right?
Because you get so much.
And then the last one is this idea of a smart agent.
And that, once again, is because you can't actually function in cyberspace, so you have
to have an agent do it for you.
And an idea of if we ever took the smart agent to its full potential.
Today, let's say you wanted to order something off the Internet, like a tie to match a suit that you had, for example.
Well, you would go onto the Internet, you would run a search engine, find some places
that had it.
You might look up the reviews, and then you would select that tie.
You'd work the transaction.
It would then connect you with whoever's going to work the credit card, and then you get
your tie, and it gets mailed to you.
Well, if you had a smart agent doing this, you would actually just launch your smart
agent.
And the smart agent would then meet with all these other people.
They're smart agents for you in cyberspace, go make you the best deal you can find, and
then the tie would just show up in your mail, right?
You wouldn't be involved with this at all.
And eventually, I mean, hopefully, as a matter of fact, that's where cyberspace will go,
because you'll fully leverage the network, the networking capability it brings.
But again, cyberspace is very powerful, and just trying to expose just a different way
to think about it.
Now, this group here would understand this chart more or less.
More than the typical audience that I would talk to.
And one of the big challenges we have, both in the business community and then in the
government sectors, is that the way we operate, particularly in the West, is kind of a seniority
system.
So you start at the bottom, and then you work your way up.
And so if you look at the left side there, it's this hierarchical structure.
And the notion is that the higher up you are in that structure, the more power you're
going to have, the more value you have, and you're also better looking, or at least that's
what everybody that's at the lower level tells you, right?
Well, in cyberspace, it doesn't work that way.
It's a network.
It's a meritocracy.
There is no top.
There is no bottom.
And your real power comes from how many connections you have.
So I mean, if you have a lot of information, but you have no connections, then you also
have no power.
So the more connections you have, the more powerful you are.
And the other thing is that your value, it's a meritocracy.
So you can have a lot of connections, but if you all of a sudden kind of get lazy and
you're no longer contributing anything to the network, then your value to that network
goes down dramatically.
So that's very different.
Well, the problem that we have is that the people who have, after many years, risen to
some good level using that left‑hand model are kind of frightened by the right‑hand
model.
And they want to push back on it.
But the reality is, you don't have a choice.
When you're operating on a global system, it's going to operate like a network.
You can't force it into a hierarchy.
We kind of learned that with the automobile industry, by the way.
We thought that because we could control all the automobile sales that went on in the states,
they didn't need to do all the things from a quality standpoint, price control and everything
else.
And then the global market came in, and the U.S. auto industry almost failed.
It was very bad.
It was a very hierarchical approach.
They adapted those same kind of methods that were being done, became a global kind of a
business again, and now they're starting to thrive, and they're actually doing very well.
So understanding that you can't always force the model to operate the way you want is important.
But for this group, understanding that you're fighting the model on the left, but you need
to keep doing that and recognize that you're operating in this network, but there are people
that want to connect with you.
So this should look very interesting, and very familiar to you.
This is the traditional way that people look, and I say in the Department of Defense, this
is how they would look at enterprise network protection.
And in the interest of time, I don't want to walk through it, but this came out of ‑‑ there
was a national military strategy for cyberspace ops, came out in 2006, and then when they were
looking to figure out how they were going to implement it, they said, well, what are
the different things we need to deal with, and they realized that the attack vectors
that are involved in doing this are different.
Tremendous.
I mean, there's all these different ways that you can get in.
This community knows better than most all the different ways you can get in.
One of the funny things, though, is if you want to call it funny, is that they kind of
ignored the social part of it, which is probably where a good 80 percent of the attacks actually
come from.
And when you look at some of the things they have, the ways we try to do law enforcement,
the CND RA, that's the computer network defense response capability, so it's a ‑‑ if
you launch an attack, then you're going to be able to do it.
You'd have some kind of a response.
But the reality is when people look at this, they say, you know, that's an awful lot of
different ways that somebody can get at me, so it must be impossible to protect.
And realistically, and this community would know, if you take this pure approach, it is
going to be impossible because the advantage goes to the offense in something like this,
and you can't possibly defend against every possible thing that's going to happen.
So that's why I'm suggesting ‑‑ we need to do this.
We need some alternatives to this.
We need to have some different ways to think about this.
And I asked if I could talk to this group, because if there was anyone that would be
able to find or come up with some ideas, I figured we'd come out of this group.
You're phenomenal at solving problems, right?
So there's one other thing I just kind of wanted to introduce in terms of the problem
set here, and that is if you look on the far left side of this, you see the DOD networks.
Well, they're ‑‑.
They're controlled and operated a certain way.
They're somewhat closed.
They've done a lot of work to reduce the gateways to the Internet, but there are still gateways.
But there's an awful lot of information that's available from a protect standpoint.
So they've got a lot of intelligence, and intelligence comes from a lot of different
means, and that intelligence is not widely shared.
Now, they extend some of that to the other government networks, and they brought in the
defense industrial base.
That's what the DIB stands for.
Because, they said, you know, our adversaries are now going after the defense contractors
who are not as well defended.
So based on that previous model, they're going to have to have more information to be able
to protect themselves.
Then as you move a little bit further to the right, now you get into where you're dealing
with like state ‑‑ still government, but you have state and local governments,
and they get information, but they don't get as much information as they're getting
on the federal side, and they don't get the same levels of protection.
And, of course, you have ‑‑ you have the Department of Defense has, but the sources are really good.
And as a result, in the commercial industry, you know, people are coming in and they're
going to ‑‑ and being able to obtain products that really do provide a level of
protection.
But it's still based on this old model, I guess I would say.
One other thing I wanted to show here is, which goes back to the nuclear part, is you
get all the way to the bottom where it talks about the weapons of mass destruction.
You may or not be happy to know that none of those operate on a network as you would
think of it.
They all use circuits.
And that's done for obvious reasons.
They're worried about somebody getting in.
The other thing is it's highly redundant.
So it's not the ‑‑ let's say the most efficient way, but it's a time‑proven way
to be able to do ‑‑ to protect a particular piece of information or capability that you
have to have.
All right.
So I said I wanted to give you two different models to look at.
And what I'd really like to do is hopefully stimulate someone to come back and say, have
you thought about this model?
And come up with, say, a third model.
But this one is actually ‑‑ was developed by an Air Force Scientific Advisory Board
study back in 2008.
And their approach to this ‑‑ if I could just take a few minutes to explain the chart
‑‑ is they took the ISO layer.
So if you look in the middle, you'll see the ISO layer kind of identified there.
But they put them together so you don't see seven.
So they put devices and linkages together, hardware systems together.
But then they added two layers to it.
They put a human organization and mission layer.
So that was ‑‑ they started with that foundation and they said, so what do the
attacks look like on those different layers?
And so what you see on the left are the things that they did to try to characterize how those
attacks would be done.
And when you look there, the reason I put this attacker focus is if you're going to
try to deal with those different types of attack, that means you have to focus on the
attacker and get the intelligence on how the attacker operates.
Then the other thing they did was they said, well, what is the effect of those attacks?
What are the effects on the users?
And you see those listed on the right‑hand side.
So at those high levels, there's disinformation and you get confusion.
It disrupts our ability to do command and control.
The bottom layers, you get performance loss, you lose your communications, completely malfunction.
So the reason they thought this would be useful is on the right side, that's almost completely
done by the operator and we would refer to it as resiliency or mission assurance.
So what they said was if you're going to try to deal with this problem, you would need
to look at this thing and break it into component parts.
I don't know how many in the room are engineers, but that's how engineers think.
You take a complex problem and break it into parts.
And so they would start trying to look at this thing.
So on the left side, you have this intelligence and attack response.
That's the traditional with your network security.
You have this mission assurance, which has been a traditional way that the military
in particular, but businesses do the same thing, business resiliency.
One of the things the business community, particularly the financial community does
that we don't for the most part do with our network is transaction controls.
So there's this anonymity on the network.
But if you put controls on the network, then typically it's a ledger, journal type approach
but it makes it more difficult for something to get a change to be made, an alteration
to be made without it being detected if you put that in place.
And a lot of businesses have those kinds of controls.
… avoid embezzlement, by the way. But then we put this other thing in there, we said it
would be a proactive defense. And what the Scientific Advisory Board said, as a matter
of fact, if you look at these different layers, if you think of them as targets, then if this
were a military problem, you would look at those targets and say, what can I do to make
it difficult for my adversary to be successful? And there's three typical things that you
do. You can harden it, you can maneuver it, or you can obfuscate it like stealth or make
it camouflage so it's hard to see. So they said perhaps we should identify some of these
really critical areas, and that's how we should be looking to spend our resources. But part
of the problem is that we have not had a lot of good proactive ways to deal with this developed.
But I wanted to show you some of the things that have been done. So if you look from a
purely network security standpoint, and you look at this left‑hand side there, what we can
do is say, well, in addition to the normal thing, they've set up these virtual machine
sandboxes, they've done things to monitor user behavior, to look to try to detect to
say that it's not the right person on there, some kind of two‑factor authentication.
There's been some transaction controls done, primarily in the business community, because
it kind of fits for them easily. There's products out there that will monitor your
registry and, for example, in fact, in the Department of Defense now, they have what's
called a host‑based security system. When you first connect to a network it actually
looks to see if your registry looks the same as it did before and it alerts but doesn't
do anything to fix it, but it alerts you that the registry looks different.
You can do things with the hypervisor, which you guys probably know more about than I do, that actually monitor
how the operating system is behaving to see if it looks like someone tried to put something
in there. And then at these lower levels, you know, they can put in resilient capabilities
that if something happens, if it takes out a router or something, there's another pathway,
that type of thing. But these are still the fairly traditional approaches. If you want
to try to take a look at how you deal with these targets, these are some of the things
that a lot of them, they become more process oriented. If you found some ways to put some
technology behind it, it could be very useful. So the idea of the two‑person control, that's
another nuke part of this thing, which is one of the ways that they make sure that some
single person can't do something with a nuke is you can't do anything unless you have two
people and they always put the controls far enough apart that you can't possibly do both
of them at the same time. If you're trying to deal with people understanding the target,
so if you're a good hacker and you go in and you start looking at a system and you start
doing all of your ‑‑
If that system changes, so they rotated the process they're using, they changed the system
or the process, then you have to start over again. So that's considered one of the proactive
ways that you can defend. That's a maneuver type or a movement thing.
The session controls, they put a lot of ‑‑ there's some different products that work with
session controls now that look to see if a session has been hijacked and they basically
‑‑ they can terminate the sessions and minimize loss of data.
They can do a lot of damage to the system when they do that. There's been some things
done with operating system obfuscation that actually looks like it has a lot of promise.
The only reason you don't see much of it being done is that once you do that, the
people administering the network have to know a lot more about the systems to be able to
deal with it because it's going to look different to them every time. So they have to know what's
behind the curtain to make it work. And then at the bottom you see there, the banks do
a lot of this, by the way. They're going to have to do a lot of this.
The other thing that they do is they shift their hardware. So by rotating hardware is
the same thing. When you're trying to ‑‑ if a hacker is trying to come in, one time
they go in with one piece of hardware, another time it's a different piece of hardware,
complicates the problem for you. And then the other thing they try to work with is device
diversity. That's not what they do in the Department of Defense, by the way, which
is a little bit problematic is they want to make things standard, so they make ‑‑ they're
all the same, right? But with no diversity, if something goes wrong with one of them,
then they're all going to fail. But in the business community, I think we've been a little
smarter about that. So you see a lot of diversity with machines, operating systems, routers,
all parts of the network. So that's one way to think about the proactive defense.
I bring this to this community to look at because you might have some ideas for how
technology could aid this. But when you take a look at how you do things from a mission
assurance standpoint, it typically involves having some type of redundancy. So if you're
trying to determine if someone has done something with your sensors, if you have more than
one sensor, you can compare them and at least you know that somebody has done something
with that. In an airplane, that's pretty typical. They have a ‑‑ all of the critical
flight controls all have a backup, and one that you do all the time is check to make
sure that they still are the same, and then if one of them is ‑‑ if they're different,
then you try to figure out which one is correct and which one is wrong.
You assume in most military operations that you're going to lose communication, so they
put in what they call lost communication processes. And so if you put those kind of things together,
that's another way that you can deal, particularly with some type of an attack that actually
causes your comms to go out. The redundant type apps means that instead
of just using one particular application to do whatever your process is, you have more
than one. By the way, in the Department of Defense,
that's an anathema to them. They say we're going to standardize it and we're going to
save money because we only have one. Business community says I want to have three or four
because if one breaks or one quits work and I want to have a backup.
They started dealing with some of the attacks. I wanted to go to the talk yesterday that was
talking about some of the ways to beat some of the systems for dealing with the DDoS attacks,
and I wasn't able to make it. But I'm going to go into more detail in just a couple of
But they have some things that they put in place there that at least would try to mitigate
some of those effects.
And then when you get down to the hardware layer, the only way to do it is to have more
than one path.
One of the strange things about people when they talk about cloud computing and things
like that, cloud computing is great, but if you've only got one circuit leading to the
cloud, then you only have a circuit.
So if you don't figure out a way to leverage the cloud and you don't have multiple pathways
into the cloud or network, then you have a limitation.
So that's this one model that I guess I'm hoping that some of you would have some good
ideas on how to do that better or some technical ways to take advantage of that.
This next one is one that was actually put out by DHS, and their idea was they were going
to try to treat cyberspace as an ecosystem. And the thought there was you're going to have a static defense
but you're also going to have this dynamic defense. And if you look up there, the things
that they have on there that prevent, those are pretty typical that you would expect.
They've inserted a couple other things that they would like to see added, like the moving
target idea that I talked about in the other one. But a big part of this thing is that
you want to have a way to detect that something happened. Because for the most part, most
of the major attacks that occur, whether it's in the commercial sector or it's in government,
it happens because they actually start seeing the impact. And by that point, it's so far
down the road that it's very difficult to contain. So trying to put processes in for
detection gets to be important. That's still considered kind of the static piece of this
thing. On the dynamic side, they want to have a lot of information sharing.
Why?
Because if you're only looking at small points, it's one thing to be able to sneak under the
radar because you avoid crossing a level. But if you're able to bring in from multiple
places and say, hey, there's this kind of odd behavior abnormality here, same thing
here and same thing here, now you say maybe there's something going on and by combining
the information you can leverage that. When you see that, then they want to have processes
in place to respond. And then as soon as they can kind of put things
under control, then they want to have processes to recover.
Part of this recover, by the way, and it's kind of interesting, when talking to some
people from 9/11, they said they thought that 9/11 was the first cyber attack. And
the reason was nobody could talk to anyone after it happened. It took out the
‑‑ nobody could talk on a cell phone because everyone was trying to talk at the same time.
Then when the towers went down, it took out some of the PBX systems. So comms virtually
stopped in New York City. They didn't even know what was going on because it wouldn't
the time when they really needed it and even the first responders were having difficulty
with communications. Something similar with Katrina in Louisiana, they actually saw where
there was a problem occurring with one of the levee breaches, but they didn't have a
way to communicate because they had lost the power and once again they didn't realize when
they lost their PBX system, the cell phones at that time were all tied into the PBX system.
So once they lost that, they couldn't communicate so their ability to first respond was lost.
So when they talk about response here, a lot of this has to do with having courses of action
that get you up very quickly to where you at least have a capacity to continue to do
these public safety types of things. But you see at the bottom, they want to try to establish
a trusted broker and that's what they try to do with these information sharing and analysis
centers, these ISACs that they've established.
So we did it.
We did a workshop at the Cyber Innovation Center for DHS. We brought some people in from industry.
We brought people in from academia. We had people from government and of course we had
people from DHS. And we actually tried to look at some different situations that were
‑‑ would be dealing with a first ‑‑ of course DHS is interested in some kind of like
a hurricane‑type thing. So we were dealing with a couple of different scenarios that
might be a DHS‑type operation.
We started looking to see what would be the impediments to doing this. And I got pages
and pages of the things that they highlighted. But there are a few things I just want to highlight that I
have here, and my goal is not to read this to you because I want to leave you some time
for questions. But the bottom line was that even when we had these experts in the room,
it was very difficult to get them to think beyond the protect piece because we would
tell them it didn't work. It didn't work. It didn't work. It didn't work. It didn't
work. We've lost cyberspace. And they always wanted to go back and fight and say no, that
will never happen. We said no, it did happen. You have to deal with it now.
And that mindset makes it very difficult to get these other parts resourced because, you
know, the government, businesses for that matter, they don't want to spend money for
things that they don't think are going to happen, obviously. So part of the thing we've
been trying to do, the DEF CON community does a great job of this, which is highlighting
the fact that it's ‑‑ if someone really wants to do this, we're going to do it. We're
going to do it. If someone wants to get into your network, they're going to get in. And
we keep trying to reinforce this with people in government and in business. But then to
get them to actually commit the resources is really difficult.
The balancing piece that you see there really has to do with the fact that they always want
to put the money into the protection, which is good. But we've argued that if you assume
that the protection is going to fail, there's some smart things that you can do to set the
stage in advance, so that you're able to basically respond, minimize the impact and quickly recover.
We then talked about some things from a detection standpoint: there's a lot of noise on
most of the enterprise networks, which makes it difficult. A lot of the things that they have
that are the automatic detection mechanisms throw out so many false alarms that it's very
difficult to deal with. So this is actually one of the things to go back to the operator,
the operational community. So whether it's a business or ‑‑
the government, the people using the systems say we really need to have you not do these
things because when you do that, it throws so much junk on the network that we can't
really tell when something is going wrong. There was a lot of interest in trying to set
up these automatic systems to where the machines would automatically respond to deal with these
things. And there's some problems with doing that, particularly with some of the drastic
or draconian responses you would have. So one of the things we discussed is that you're
really ‑‑ you need to have a way that you can keep a human in this decision‑making
loop but be able to basically be operating a sensor‑response system that basically goes
at the speed of information. And then finally, I guess I actually talked
about the last one there, about the balancing ‑‑ this is really for the people
that figure out where you should spend your money. They need to have a process that figures
out how to do that.
So now this is my appeal to this community here. When you look at this workforce, these
are the different elements that are involved in this workforce. And if I went across
this room, you'd see that parts of you are involved in all these different places here.
And we do a lot of stuff looking at trying to eliminate the vulnerabilities and we do
a lot of things where we try to go find out what the threats are. But there's some really
good opportunities in the software.
There's the security and the assurance in the parts that actually look at the resiliency
and the transaction controls and then what are the things we can do to help make the
users of the network more accountable for their actions and more careful about their
processes. I bring this to you because I think this community could actually implement
this and make this work.
So that's the workforce part of it. The leader part of this is kind of interesting. This
is a typical model for any kind of pyramid‑type organization. This is kind of an inventory.
But you have all these different functional specialties at the bottom, and just like we
showed on that little chart before, the communities come from many different places.
We tend to get very good in those individual areas.
But the people at the next level, which we call the operational leaders, they're the
ones that are able to integrate and pull these things together.
In the cyber community, we haven't done a very good job of figuring that out.
We tend to be very stovepiped.
So a lot of the things we've been trying to do is encourage people who have expertise
in one part of the cyberspace to cross over and do something else and learn about that
other piece of it so that they can help later with this integration.
At the strategic level, that's where you're actually trying to tie the thing back in and
you're trying to make it useful.
And the other part that we're trying to do is we have a lot of strategic leaders today
that know virtually nothing about it.
They know about cyberspace.
They don't want to know in some cases, but it's incumbent on us to try to get them to
understand the things that you know about cyberspace so that they can be better strategic
leaders and they can better leverage cyberspace.
So that's what I hope that I was able to talk to you about today.
I think I left this with a few minutes for questions.
I'm happy to take questions.
I brought my pen with me because I'm also happy to take ideas.
But thanks so much for spending time with me, and I hope that you have a great DEF CON.
Where you going?
You don't have any questions?
You with the long hair, come back here.
Anyone have any questions?
Come on.
They needlessly say they don't give us wireless mikes here.
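The detection points made in the talk above (individually weak anomaly signals that only become meaningful when combined across several places, automatic sensors that generate too much noise, and keeping a human in the loop for any drastic response while letting the machine act at the speed of information) as an added Python example. This is not code from the talk or from any project it mentions; the site names, indicators, scores, thresholds, sensor weights and action lists are all constructed assumptions for illustration.

```python
"""Correlating weak anomaly signals from several sites before acting.

Constructed example: every alert, threshold and site name here is made up.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Alert:
    source: str     # reporting site or sensor (constructed names)
    indicator: str  # what was observed, e.g. "dns:rare-domain"
    score: float    # that sensor's own anomaly score, 0.0 .. 1.0


@dataclass
class Decision:
    indicator: str
    reason: str          # "local" (one sensor fired alone) or "correlated"
    sources: tuple
    combined: float
    auto_actions: list = field(default_factory=list)  # machine may do these
    needs_human: list = field(default_factory=list)   # queued for an analyst


# Thresholds are illustrative assumptions, not values from the talk.
LOCAL_THRESHOLD = 0.8        # a single sensor must be this sure to fire alone
CORRELATED_THRESHOLD = 0.6   # weighted mean needed once MIN_SOURCES agree
MIN_SOURCES = 3              # distinct sites that must see the same indicator

# Sensors known to throw many false alarms are down-weighted rather than
# silenced, so their evidence still counts when other sites corroborate it.
SOURCE_WEIGHT = {"site-a": 1.0, "site-b": 1.0, "site-c": 0.5}

# Reversible, low-impact responses the machine may take on its own at
# "the speed of information"; disruptive ones wait for a human in the loop.
AUTO_ACTIONS = ["increase_logging", "tag_for_hunting"]
HUMAN_ACTIONS = ["block_indicator", "isolate_host"]


def correlate(alerts):
    """Group alerts by indicator and decide which deserve a response."""
    by_indicator = defaultdict(list)
    for a in alerts:
        by_indicator[a.indicator].append(a)

    decisions = []
    for indicator, group in by_indicator.items():
        sources = tuple(sorted({a.source for a in group}))
        best = max(a.score for a in group)
        weights = [SOURCE_WEIGHT.get(a.source, 1.0) for a in group]
        mean = sum(w * a.score for w, a in zip(weights, group)) / sum(weights)

        if best >= LOCAL_THRESHOLD:
            reason = "local"
        elif len(sources) >= MIN_SOURCES and mean >= CORRELATED_THRESHOLD:
            reason = "correlated"
        else:
            continue  # below the radar on its own: no alarm, no noise added

        decisions.append(Decision(
            indicator=indicator,
            reason=reason,
            sources=sources,
            combined=round(mean, 2),
            auto_actions=list(AUTO_ACTIONS),
            needs_human=list(HUMAN_ACTIONS),
        ))
    return decisions


# Constructed sample feed: three sites each see the same odd DNS behaviour at
# a level none of them would act on alone; one site sees a clear brute force;
# one noisy site reports something nobody else corroborates.
SAMPLE_ALERTS = [
    Alert("site-a", "dns:rare-domain", 0.65),
    Alert("site-b", "dns:rare-domain", 0.70),
    Alert("site-c", "dns:rare-domain", 0.60),
    Alert("site-b", "auth:bruteforce", 0.90),
    Alert("site-c", "http:odd-user-agent", 0.50),
    Alert("site-c", "http:odd-user-agent", 0.55),
]

if __name__ == "__main__":
    for d in correlate(SAMPLE_ALERTS):
        print(f"{d.indicator}: {d.reason} via {d.sources} "
              f"(combined {d.combined}); auto={d.auto_actions} "
              f"human={d.needs_human}")
```

Run as written, the DNS indicator fires only because three sites agree (no single score reaches 0.8), the brute-force alert fires on its own, and the uncorroborated report from the noisy site is dropped instead of adding to the alarm volume. Disruptive responses such as isolating a host are never taken automatically; they are listed for the analyst who stays in the loop.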
You really tantalized us with conversation about nuclear weapons and they're not connected
to the Internet but connected via circuits. I know you probably can't give us details
but at least tell us you've got the best people on this.
And it's all two‑man control, too. So, yeah, no, they're ‑‑ the Department
of Defense and the Department of Energy both put their best people on. It's kind of interesting,
you know, we talk about this two‑person thing; by the way, it even goes to this: the Department
of Defense does not own the weapons, the Department of Energy does, and it's done that way, everything
is split right down to the weapons themselves. So the Department of Energy owns the weapons,
not the Department of Defense. So it's that kind of approach that they really try to lock
themselves into. I tell you, it's kind of interesting, if
you think about administrators on systems, and see, the banks do this, by the way, they really try to lock themselves into,
they set up their super administrator accounts, and it takes two people to be able to get
into the log or do anything to affect it because they don't want anybody tampering with the
logs. Once again, it's a two‑person approach to things. The point is there's a lot of things
that we can do that wouldn't necessarily cost a lot of money, but we just haven't had the
people think it through enough to figure out how to do it, and we don't have the people
with the expertise. So ‑‑
Earlier you drew the comparison between
TSA and cyber security. I was wondering, so we know if we don't have a TSA, we know
the kinds of things that can happen, you know, people put bombs on planes, people turn planes
into bombs. Could you imagine a cyber world without a dedicated cyber security force and
what that would look like? Why do we need that in a way that we need the TSA to protect
lives?
Well, when the Internet was established ‑‑ what's funny about the Internet, when you
go back to the initial ARPANET, I'll give away some of my age, I got to use one of the
initial ARPANET terminals, and it was just a research thing, and it was just trusted
people that were working together, just like you would go to a bar and you'd tell your
buddies a story about something going on in your life.
And you trusted them, and that's the whole origin of this thing. So now what's happened
is after the fact, we're having to figure out a way to make sure that people don't use
it against you, if you will. And so the cyber security is basically how people can still
use cyber space, but have a way to feel like they're still protected. But the reality is
I think you need to have a dedicated cyber security force, but I also think that one
of the mistakes that we make is we let our users off the hook, particularly on these
enterprise systems, and we don't hold them accountable for their actions because the
best defense at the point of the spear is for that person, that operator that's on
the system to say, you know, that doesn't look right, and then do something about it
rather than wait until it gets to be so big that you do have to have the cyber security
professional come in and deal with it. But, no, there's no way we can ever go back. The
security field is going to continue to grow. My argument here is there's some other ways
it should grow beyond just purely a security standpoint and expand into this defense, more
proactive defense and possibly even this mission assurance type of approach.
So I'm sure everyone is happy to hear that Elvis Presley is in the house and has a question
about cyber. Thank you very much. Thank you very much.
I'm Elvis. You may have heard of me. I'm kind of a big deal in the city. So one thing
that has happened in history is like for Pearl Harbor. You know, Pearl Harbor came
out of nowhere and brought us in, even 9-11. Before 9-11, there were people already saying
the things that needed to happen, and no one wants to spend money until after the crisis.
We even saw it for Y2K. You were probably like 50 then.
So even for Y2K, even for Y2K, though, there were people saying, you know, there's
problems in code and when it rolls over, there could be a problem. There were people that
told Congress this. And we always waited until the last minute. For cyber, we're doing the
same thing. We're saying the same stuff. And I'm glad that you're here and you're giving
a lot of good information and you're soliciting information. I think that's great to partner
like that. But what's being done to actually get the wheels to actually turn the wheel?
Are we going to have to have like a cyber Pearl Harbor before anybody really wants
to put money into this? Because everything is going to cost money, no matter how smart
we are.
So that's a great question.
So first, Elvis, the bad news is that history has a tendency to repeat itself. So before
we really see them putting the money into this that they need to, there probably will
end up having to be a cyber Pearl Harbor. That's the bad news. The good news is that in
a lot of the sectors, business people like to make money. But they're also risk averse.
So they actually bring risk management principles into the way that they do these
things. So a lot of these companies are now starting to invest the money that they need
to, particularly the larger companies. I'll tell you, the defense contractors, with what
they now know about what the threats are, they're definitely putting money into
these types of things because they're fully aware. The banks understand it. Some of the
other communities have done that. So the communities that recognize that their ability to continue
to operate the way that allows them to make money or to do their business is at stake, they are now
starting to put money in those kinds of places. But we're still at like maybe 10 percent of all
the sectors in the United States, and everybody else just assumes that the government is going
to protect them from this. And this is not true.
It's not something ‑‑ I mean, CYBERCOM is not going to protect the small business
owner from a cyberattack. So once they figure that out, that's the first thing. I tell people
it's like the 12 steps for an alcoholic. The first thing, you have to admit you have
a problem. Most people ‑‑ and I said the thing that scared me when we did this
one workshop, I had these experts in there, and even with those experts, they kept trying
to go back and say, well, clearly we'll figure out a way to keep this from happening. And
it's very difficult to get people into that mind‑set. It's one of the things that you
guys through these conferences do: you highlight to the people that there are these vulnerabilities
and hopefully, you know, with repetition, they'll hear it. And so I applaud you for doing that
and I encourage you to keep doing that because it's the only way we're going to get the
message across.
Three questions.
One question. There's two other people waiting. We've got to get out of here.
Okay. I'll say all three at once and you get the answer. All three.
All of them at once. I like it. You're manipulating the system. That is inappropriate.
One of the things that we've seen DARPA do is they've engaged the community through the
cyber fast track. Apparently cyber fast track has now been turned off. Will DHS or anybody
else pick up this or will the money go to the big contractors and slow innovation or
will we see the same kind of initiative ‑‑
No, I don't think so.
‑‑ engage this community to develop those unique ideas, those unique defenses?
So, I didn't realize ‑‑ I thought DARPA still had money in the cyber fast track.
Defunded.
But that is somewhat typical for DARPA. DARPA's thing is supposed to be able to get something
started and then have others try to pick it up. So what I can tell you is DHS does have
some programs.
In fact, the stuff that I do at the Cyber Innovation Center, which is pro bono work
for me, is work that's actually funded by the National Science Foundation and by DHS.
But if you go around the country, there are a number of ‑‑ and they tend to be nonprofits
that have stood up all around the country that are starting to take this thing on.
So it's becoming somewhat of a grassroots effort.
And I'm actually encouraged by that.
There is a lot of interest to do that.
So it's not going to have the kind of funding that DARPA was able to put into it, so that's
the challenge.
Yeah, the other thing that's being defunded is the DIB.
You've mentioned the DIB during this whole process.
Who's going to take that initiative?
Well, so the DIB pilot went out, but the information sharing continues.
So they do still have the information sharing piece.
But they're using it.
They're using the ISAC to do it now.
Yes, sir?
To what degree do you think from an information assurance standpoint we can start selecting
for what Nassim Taleb, the guy who wrote Black Swan, would call anti‑fragility,
the sense that right now we're in an environment of few large targets, large fragile targets,
crack once, exploit everywhere.
Where what we need to do is start going ‑‑
Right.
We need to start going towards a diversity of smaller, more robust targets.
How are we going to get that changed around since the business imperative seems to be
towards consolidation, conglomeration, and single‑source support, much the way that
DOD does?
You're exactly right.
It's a huge problem because particularly in the business community, they're looking for
efficiencies.
Right.
And with sequestration in particular, everybody is looking for efficiencies in government
as well.
Where I see some encouragement, by the way, for your question is actually in the business
community and the process that they're using is a risk management process.
They apply it across their business.
They're now starting to apply it to their cyber systems.
What I'm worried about is that they're now starting to do some things like in the industrial
sectors with the industrial controls and things like energy, transportation.
They're now starting to look at this.
But it turns out they're looking at it and they say, you know, we designed it to be this
very efficient system.
It's difficult to go back in and reengineer it to be the other way.
But they are starting to do it now.
The only way to keep this thing going is we have to keep ‑‑ you know, we have to
keep telling the business owners, we have to keep telling the Congress that it's important
to not put all your eggs in one basket and demonstrate to them what could happen.
Sir.
I get a lot of talking about the processes and the high‑level strategies.
One of the things I've seen over and over again in government organizations that I've
worked with is that this is about the people.
The government has gone to a point where it's about the certifications you have, you know,
DOD 8570 and so forth, to where we've lined a lot of pockets of certification companies
in an effort to prove that people know these skills.
But on the outside, in the commercial sector, that doesn't seem to be the case.
They don't have as much desire to have people with certifications as to be able to prove
that they can do the job.
And if they can't do the job, they move on.
And they have a hierarchy set up to allow people to grow within their organization.
In most government contracting companies that I've seen, and in the government, military
and civilian markets as well, they want people to get a large breadth of knowledge.
Is there any thought about maybe changing that paradigm to where we get specialists,
where we let people focus in on the technical aspects, on the things they like to do that
they're good at and let them stay there without penalizing them within the system and maybe
getting away from making it so hard to get rid of people and encouraging growth from
within?
Yeah.
So to be perfectly honest.
I still have friends in government that work on the personnel sides of things and they
actually are looking at the exact type of thing you're talking about.
A lot of the standardization piece was kind of funny.
They actually were trying to mimic what they saw on the outside and they said we should
try to do something like that.
But of course whenever the government does something, it turns into something very bureaucratic,
and you kind of lose sight of the actual objective and you get locked into all the processes,
the bureaucratic processes.
But there's a huge effort, number one, to try to grow a cyber workforce, particularly
in the Department of Defense, but in the other government agencies, and they're looking
to find ways to make it attractive, quite frankly, for people to do that.
So the types of things you're talking about are all being considered.
And so one other thing, by the way, I'm not in that business myself, but I have a lot
of friends that still work with that.
And so I'll give you my card because I'm looking to get those ideas and I'll pass it
to them.
So let me make sure I give you a card before you run out of here.
Thank you very much.
Yeah.
Okay.
All right.
So we need to clear the stage for the next speakers, but we're going to take the general
over to the panel and the Chill Out Cafe, so he'll do some Q&A there before he heads out to the airport.
All right.
Thank you very much.
